Return-Path: X-Original-To: tls@mail2.ietf.org Delivered-To: tls@mail2.ietf.org Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 658068B0186D for ; Mon, 17 Nov 2025 07:17:42 -0800 (PST) X-Virus-Scanned: amavisd-new at ietf.org X-Spam-Flag: NO X-Spam-Score: -1.897 X-Spam-Level: X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3kF7IIBlabcN for ; Mon, 17 Nov 2025 07:17:40 -0800 (PST) Received: from mail-yx1-xb131.google.com (mail-yx1-xb131.google.com [IPv6:2607:f8b0:4864:20::b131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id B3DEF8B0177B for ; Mon, 17 Nov 2025 07:17:13 -0800 (PST) Received: by mail-yx1-xb131.google.com with SMTP id 956f58d0204a3-63f97ab5cfcso3613956d50.0 for ; Mon, 17 Nov 2025 07:17:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1763392633; x=1763997433; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=eejZC81JWk99ccArLwukB9Nrijay6+wYw5jhKzzVAmc=; b=Wjw4HWFHYNgn3yOfRB5fmGvvt8KYo8uiCzKGJWsFpb4KE4J8d5X08Se/+XEVI6vqyr nhM/iozbeFE24zEdvvEq3pslOwTJikDQpWZyfWrr46MHWLYLqrkm0AvaS/9SypH7/MOw aMfWLXiqauHxIQwYymrVUvdxJqsXDPoAzYdS2mvI5XEcl1Xt6KCtZH/QEWzrzo5ycu3p UwR4GJiOBF1UX5CZ/dppP7bif0z8qBRQOWoa15h9ainJWxcMkdnpjnRP89QQoHvtCHeW vDT2chemAh70Xxmx9elBvOTJvAQzrcg4K5TBOuVQAcbw54UamBXO8EOu/YGeI9StaP3n RVNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763392633; x=1763997433; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=eejZC81JWk99ccArLwukB9Nrijay6+wYw5jhKzzVAmc=; b=uBO4b6qXNYn0dxxtVJYeRZ1OwqbLHmI7llBhJkBdClE+V19WowsoFnlkDdBk33dEPv UpxcKYwr1dLor2gIGxGrqThJp7FPTT0FgFlgrFebD+AjDLkXlFxpyYtz+LaE5X6u8KL8 9nCW1PMntvteTHkidf8OskhQB9BXm1xvAeKbQTGOdaw9QDx3m/eep38r9sCuOQ1MbWPN 1QVksD6eQz1t39YchNsawrRqwx+Rmk7uC1L+RptPn09TVKflMzNKMdWnaflFWDp6mLza 7rxrdf3F7k1MhryoKBIX+pzrJN31YiYzjMaX/FA3dBzeX5A0ck1sIv7JeDiqeObyvSt/ 9QlQ== X-Forwarded-Encrypted: i=1; AJvYcCXjCFvDwsS+6GepYNQGiII2lxQ2ukpnIEyT65YxQ79LsaQEtl2ZCjfk73pP0tug2EAFLSk=@ietf.org X-Gm-Message-State: AOJu0YwykRC/bbyrVlsYA8Tj4e51GU5fX+yAd3BlT4TvENVBppLB+kGh nF92dQm/fFemmOpmkxc7hkbMUnNJ2xB/KUPVvzhuaZeuCEBoolSIw/pcHXtNKX+biHG9zZ112iP eywAtRd6sSDQzTXlZu6ziRtfXzdnNWuj6D40asnYDHQ== X-Gm-Gg: ASbGncs/tzZM/QKVayAwU4cS/LcX9Db4LotalUDnEwR35JF8uj0igUCSkaoQDgbUxYd /UZ2vo/DtsYFdfMQ+oA3AhHG9lCz7ZStquoFH5MAGqyC+/0LPaHGuRudJ05yRZn8o2NhSZY51Gd O2+NIOyF8AA4E+AKqy8SLXeDjFAiGbb4ssRa+Z//kN2RS0ek09y0ceFmK2djldWi9rizwzZ2Bdo XPlLxW06DBDb08a+R8+kfPqgwrDIggvWTd3YqJiwlpSO+QSKCsHmeAOa6Wg4OXFe19DIzsp/Kmp Pftnej/y9IPi9TVECRO2tSAVuxus0wgWbcAX1sIk+szo1wnWNZDD5aftVr4tuo5nokRL+d+jgc2 PBWIa+z7JTr7+rs9ifP7y X-Google-Smtp-Source: AGHT+IFa2gqJWBIBEzz9K1MZiVWQ4QttsORYLI03YSpOwiuoXYchfCKU4WeEU4FLyCYGu6DPLpXW+aKFxUHYyEUMnag= X-Received: by 2002:a05:690e:d06:b0:63f:b366:98d5 with SMTP id 956f58d0204a3-641e74a4abemr9444074d50.9.1763392632786; Mon, 17 Nov 2025 07:17:12 -0800 (PST) MIME-Version: 1.0 References: <176337010705.746218.8450704875232198278@dt-datatracker-5bd94c585b-wk4l4> In-Reply-To: From: Eric Rescorla Date: Mon, 17 Nov 2025 07:16:34 -0800 X-Gm-Features: AWmQ_bnst1cxKoiKXVhWvdVGHwAUO6bchXACLB1SDxsvdiPkPERzv7nm5nP8J_E Message-ID: To: mohamed.boucadair@orange.com Content-Type: multipart/alternative; boundary="0000000000007a1f820643cbd791" Message-ID-Hash: FT2DOC5YVDQF3VRSSLGQZ3LSOUCFEWUJ X-Message-ID-Hash: FT2DOC5YVDQF3VRSSLGQZ3LSOUCFEWUJ X-MailFrom: ekr@rtfm.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: The IESG , "draft-ietf-tls-tls13-pkcs1@ietf.org" , "tls-chairs@ietf.org" , "tls@ietf.org" X-Mailman-Version: 3.3.9rc6 Precedence: list Subject: =?utf-8?q?=5BTLS=5D_Re=3A_Mohamed_Boucadair=27s_Discuss_on_draft-ietf-tls-tl?= =?utf-8?q?s13-pkcs1-06=3A_=28with_DISCUSS_and_COMMENT=29?= List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: --0000000000007a1f820643cbd791 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, Nov 17, 2025 at 6:42=E2=80=AFAM wrot= e: > Re-, > > > > I think there is a disconnect here. > > > > My DISCUSS point is clear: how can you make use of > draft-ietf-tls-tls13-pkcs without relaxing what is the base spec? > And this document does so, regardless of whether 8446 is updated. It permits servers to advertise support and clients to negotiate it. That overrides the text in 8446. > Great to hear that you =E2=80=9Ccan clarify this point there in AUTH48=E2= =80=9D, but > that=E2=80=99s not sufficient to clear my DISCUSS. I would appreciate if = you can > share the proposed change so that we can move on. Thanks. > https://github.com/tlswg/tls13-spec/pull/1399/files Please clear your DISCUSS. -Ekr > > > Cheers, > > Med > > > > *De :* Eric Rescorla > *Envoy=C3=A9 :* lundi 17 novembre 2025 15:32 > *=C3=80 :* BOUCADAIR Mohamed INNOV/NET > *Cc :* The IESG ; draft-ietf-tls-tls13-pkcs1@ietf.org; > tls-chairs@ietf.org; tls@ietf.org > *Objet :* Re: [TLS] Mohamed Boucadair's Discuss on > draft-ietf-tls-tls13-pkcs1-06: (with DISCUSS and COMMENT) > > > > > > > > > > On Mon, Nov 17, 2025 at 6:13=E2=80=AFAM wr= ote: > > Eric, > > > > Hmm. > > > > As you ask, this falls under technical/implementation issue as it relates > to how the intended feature can provided given the restriction in the bis= . > > > > I do not agree with this statement. The document is unambiguous on > what itallows, and adding an "Updates" field will not make it > anymore clear. Moreover, as we've discussed 8446bis is already *ahead* > of this document in the queue,and we can clarify this point there in > AUTH48. > > I appreciate that you would prefer a different resolution, but this > seems tome to fall rather under the following non-criteria: > > "Disagreement with informed WG decisions that do not exhibit problems > outlined in Section 3.1 (DISCUSS Criteria). In other words, > disagreement in preferences among technically sound approaches." > > as well as: > > "Pedantic corrections to non-normative text. Oftentimes, poor phrasing > or misunderstandings in descriptive text are corrected during IESG > review. However, if these corrections are not essential to the > implementation of the specification, these should not be blocking > comments." > > Accordingly, I would ask you to remove your discuss and allow this > > document to proceed. > > > -Ekr > > > > Cheers, > > Med > > > > *De :* Eric Rescorla > *Envoy=C3=A9 :* lundi 17 novembre 2025 15:01 > *=C3=80 :* BOUCADAIR Mohamed INNOV/NET > *Cc :* The IESG ; draft-ietf-tls-tls13-pkcs1@ietf.org; > tls-chairs@ietf.org; tls@ietf.org > *Objet :* Re: [TLS] Mohamed Boucadair's Discuss on > draft-ietf-tls-tls13-pkcs1-06: (with DISCUSS and COMMENT) > > > > > > > > > > On Mon, Nov 17, 2025 at 1:02=E2=80=AFAM Mohamed Boucadair via Datatracker= < > noreply@ietf.org> wrote: > > Mohamed Boucadair has entered the following ballot position for > draft-ietf-tls-tls13-pkcs1-06: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positio= ns/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-pkcs1/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Hi David and Andrei, > > Thank you for the effort put into this specification. > > Updated the ballot [1] to take into account the feedback received so far > (including off-list clarification from Paul; Thanks). > > The only pending point is: > > # Update RFC8446/RFC8446bis > > The provisions in this draft relax what used to be disallowed in > 8446/8446bis. > This reads like an update. > > Specifically, this part from RFC8446bis: > > and > > In addition, the signature algorithm MUST be compatible with the key > in the sender's end-entity certificate. RSA signatures MUST use an > RSASSA-PSS algorithm, regardless of whether RSASSA-PKCS1-v1_5 > algorithms appear in "signature_algorithms". > > > > Can you please identify which DISCUSS criteria item you believe this > > DISCUSS corresponds to? > > > > -Ekr > > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > # FIPS 186-4 > > ## Please add a reference > > ## s/with FIPS 186-4/with US FIPS 186-4 > > # TLS Registries > > CURRENT: > IANA is requested to create the following entries in the TLS > SignatureScheme registry, defined in [RFC8446]. > > Isn=E2=80=99t draft-ietf-tls-rfc8447bis authoritative here for registry m= atters? I > would replace the 8446 citation with draft-ietf-tls-rfc8447bis. > > Cheers, > Med > > [1] https://mailarchive.ietf.org/arch/msg/tls/dimNOvXqeIaYflBK7s51J43p80U= / > > > > _______________________________________________ > TLS mailing list -- tls@ietf.org > To unsubscribe send an email to tls-leave@ietf.org > > _________________________________________________________________________= ___________________________________ > > Ce message et ses pieces jointes peuvent contenir des informations confid= entielles ou privilegiees et ne doivent donc > > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez re= cu ce message par erreur, veuillez le signaler > > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages = electroniques etant susceptibles d'alteration, > > Orange decline toute responsabilite si ce message a ete altere, deforme o= u falsifie. Merci. > > > > This message and its attachments may contain confidential or privileged i= nformation that may be protected by law; > > they should not be distributed, used or copied without authorisation. > > If you have received this email in error, please notify the sender and de= lete this message and its attachments. > > As emails may be altered, Orange is not liable for messages that have bee= n modified, changed or falsified. > > Thank you. > > _________________________________________________________________________= ___________________________________ > Ce message et ses pieces jointes peuvent contenir des informations confid= entielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez re= cu ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages = electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme o= u falsifie. Merci. > > This message and its attachments may contain confidential or privileged i= nformation that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and de= lete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have bee= n modified, changed or falsified. > Thank you. > > --0000000000007a1f820643cbd791 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


On = Mon, Nov 17, 2025 at 6:42=E2=80=AFAM <mohamed.boucadair@orange.com> wrote:=

Re-,

=C2=A0

I think there is a disconnect here.

=C2=A0

My DISCUSS point is clear: how can you make u= se of draft-ietf-tls-tls13-pkcs without relaxing what is the base spec?


And this document= =C2=A0does so, regardless of whether 8446 is updated.
It permits = servers to advertise support and clients to negotiate it. That
ov= errides the text in 8446.

=C2=A0
<= div>

Great to hear that you =E2=80=9Ccan clarify t= his point there in AUTH48=E2=80=9D, but that=E2=80=99s not sufficient to cl= ear my DISCUSS. I would appreciate if you can share the proposed change so that we can move on. Thanks.

=

=C2=A0

Please clear your DISCUSS.
-Ekr


=C2=A0

Cheers,

Med

=C2=A0

De=C2=A0: Eric Rescorla <ekr@rtfm.com>
Envoy=C3=A9=C2=A0: lundi 17 novembre 2025 15:32
=C3=80=C2=A0: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>
Cc=C2=A0: The IESG <iesg@ietf.org>; draft-ietf-tls-tls13-pkcs1@ietf.org; tls-chairs@ietf.org; = tls@ietf.org
Objet=C2=A0: Re: [TLS] Mohamed Boucadair's Discuss on draft-ietf= -tls-tls13-pkcs1-06: (with DISCUSS and COMMENT)

=C2=A0

=C2=A0

=C2=A0

=C2=A0

On Mon, Nov 17, 2025 at 6:13=E2=80=AFAM <mohamed.boucadair@orange.com= > wrote:

Eric,

=C2=A0

Hmm.

=C2=A0

As you ask, this falls under technical/implem= entation issue as it relates to how the intended feature can provided given the restriction in the bis.

=C2=A0

I do not agree with thi= s statement. The document is unambiguous on
what itallows, and adding an "Updates" field will not make it
anymore clear. Moreover, as we've discussed 8446bis is already *ahead*<= br> of this document in the queue,and we can clarify this point there in
AUTH48.

I appreciate that you would prefer a different resolution, but this
seems tome to fall rather under the following non-criteria:
=C2=A0
"Disagreement with informed WG decisions that do not exhibit problems<= br> outlined in Section=C2=A03.1 (DISCUSS Criteria). In other words,
disagreement in preferences among technically sound approaches."

as well as:

"Pedantic corrections to non-normative text. Oftentimes, poor phrasing=
or misunderstandings in descriptive text are corrected during IESG
review. However, if these corrections are not essential to the
implementation of the specification, these should not be blocking
comments."

Accordingly, I would ask you to remove your discuss = and allow this

document to proceed.


-Ekr

=C2=A0

Cheers,

Med

=C2=A0

De=C2=A0: Eric Rescorla <ekr@rtfm.com>
Envoy=C3=A9=C2=A0: lundi 17 novembre 2025 15:01
=C3=80=C2=A0: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>
Cc=C2=A0: The IESG <iesg@ietf.org>; dr= aft-ietf-tls-tls13-pkcs1@ietf.org; tls-chairs@ietf.or= g; tls@ietf.org
Objet=C2=A0: Re: [TLS] Mohamed Boucadair's Discuss on draft-ietf= -tls-tls13-pkcs1-06: (with DISCUSS and COMMENT)

=C2=A0

=C2=A0

=C2=A0

=C2=A0

On Mon, Nov 17, 2025 at 1:02=E2=80=AFAM Mohamed Boucadair via D= atatracker <norepl= y@ietf.org> wrote:

Mohamed Boucadair has entered the following ballot p= osition for
draft-ietf-tls-tls13-pkcs1-06: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions= /
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-tls-tls13-pkcs1= /



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Hi David and Andrei,

Thank you for the effort put into this specification.

Updated the ballot [1] to take into account the feedback received so far (including off-list clarification from Paul; Thanks).

The only pending point is:

# Update RFC8446/RFC8446bis

The provisions in this draft relax what used to be disallowed in 8446/8446b= is.
This reads like an update.

Specifically, this part from RFC8446bis:

and

=C2=A0 =C2=A0In addition, the signature algorithm MUST be compatible with t= he key
=C2=A0 =C2=A0in the sender's end-entity certificate.=C2=A0 RSA signatur= es MUST use an
=C2=A0 =C2=A0RSASSA-PSS algorithm, regardless of whether RSASSA-PKCS1-v1_5<= br> =C2=A0 =C2=A0algorithms appear in "signature_algorithms".<= u>

=C2=A0

Can you please identify which DISCUSS criteria item = you believe this

DISCUSS corresponds to?

=C2=A0

-Ekr

=C2=A0


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

# FIPS 186-4

## Please add a reference

## s/with FIPS 186-4/with US FIPS 186-4

# TLS Registries

CURRENT:
=C2=A0 =C2=A0IANA is requested to create the following entries in the TLS =C2=A0 =C2=A0SignatureScheme registry, defined in [RFC8446].

Isn=E2=80=99t draft-ietf-tls-rfc8447bis authoritative here for registry mat= ters? I
would replace the 8446 citation with draft-ietf-tls-rfc8447bis.

Cheers,
Med

[1] https://mailarchive.ietf.org/arch/msg/tls/dimNOvXqeIaYflBK7s51J43p80U/<= br>


_______________________________________________
TLS mailing list -- tls@i= etf.org
To unsubscribe send an email to tls-leave@ietf.org

______________________________________________________________________=
______________________________________
Ce message et ses pieces jointes peuvent contenir des informations con=
fidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez=
 recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les me=
ssages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deform=
e ou falsifie. Merci.


=C2=A0


This message and its attachments may contain confidential or privilege=
d information that may be protected by law;


they should not be distributed, used or copied without authorisation.<=
u>


If you have received this email in error, please notify the sender and=
 delete this message and its attachments.


As emails may be altered, Orange is not liable for messages that have =
been modified, changed or falsified.


Thank you.


______________________________________________________________________=
______________________________________
Ce message et ses pieces jointes peuvent contenir des informations confiden=
tielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu=
 ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les message=
s electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou =
falsifie. Merci.

This message and its attachments may contain confidential or privileged inf=
ormation that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and dele=
te this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been =
modified, changed or falsified.
Thank you.
--0000000000007a1f820643cbd791--